Protecting Network Assets
Post on 10-Jan-2016

Protecting Network Assets
CAMP: Bridging Security and Identity Management
Christopher Misra
14 February 2008, Tempe, AZ
Agenda (DRAFT, needs to be updated)
- Automated Security and Policy Enforcement
- History
- New Challenges
- Background/Roles of:
  - NAC
  - IdM
  - Network Segmentation
- What might we do?
- Firewall traversal
- Grid case
- Standards
Session Abstract
Can IAM be helpful in managing network intrusions and access policies? Can IAM correctly correlate identity to an endpoint device by combining network registration and personal identification? Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes?
This session will explore these questions and how one can identify the person behind the device or address.
Managing Network Intrusions?
- Initial NAC deployments were not driven by architectural decisions
  - Large numbers of unmanaged systems connected to campus network
  - Primarily in residence halls
  - Battle scars from Code Red, Nimda, and Blaster
- However, we did leverage campus IAM successfully
- And we effectively created a device registry
  - Even if we didn't integrate this data with our IAM
How we got here (or, before NAC was cool)
Why Automate Security and Policy Enforcement?
From the SALSA-Netauth document "Strategies for Automating Network Policy Enforcement":
(A) major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.
Even though it wasn't cool, we implemented NAC
Policy enforcement loop (state diagram):
1. External Event Occurs -> Policy Decision Check Required
2. Lookup to Policy Repository
3. Policy Action, one of:
   - None Required: the network stays in its current state
   - Move to new state: Network Transitions to New State
   - Enforcement Action Required: Take Enforcement Action and return to Policy Decision
4. Network Transitions to a fully compliant or non-compliant final state.
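The loop in that diagram, written out as a runnable model. This is an added example, not code from the presentation or from SALSA-Netauth; the host states, event names, the "quarantine_vlan" enforcement action and the policy table are assumptions chosen so that all three policy outcomes (none required, move to new state, enforce and re-decide) are exercised.

```python
"""Policy-enforcement loop of the SALSA-Netauth state diagram as runnable code.

Added example: not the presentation's or SALSA-Netauth's own code. States,
events, enforcement names and the policy table are illustrative assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    UNREGISTERED = "unregistered"    # device seen, no identity tied to it yet
    REGISTERED = "registered"        # identity known, posture not yet decided
    COMPLIANT = "compliant"          # final state: production network
    NONCOMPLIANT = "noncompliant"    # final state: quarantine / remediation


class Action(Enum):
    NONE = "none"          # Policy Action: None Required
    MOVE = "move"          # Policy Action: Move to new state
    ENFORCE = "enforce"    # Policy Action: Enforcement Action Required


# Stand-in for the policy repository: (current state, event) -> (action, argument).
# For MOVE the argument is the next state; for ENFORCE it names the enforcement
# action (a vLAN move, a port filter, ...) the PEP is asked to carry out.
POLICY = {
    (State.UNREGISTERED, "mac_registered"): (Action.MOVE, State.REGISTERED),
    (State.REGISTERED, "scan_clean"): (Action.MOVE, State.COMPLIANT),
    (State.REGISTERED, "scan_vulnerable"): (Action.ENFORCE, "quarantine_vlan"),
    (State.COMPLIANT, "ids_alert"): (Action.ENFORCE, "quarantine_vlan"),
    # After an enforcement action the loop returns to the policy decision with
    # an "enforced" event; that second decision moves the host to a final state.
    (State.REGISTERED, "enforced"): (Action.MOVE, State.NONCOMPLIANT),
    (State.COMPLIANT, "enforced"): (Action.MOVE, State.NONCOMPLIANT),
    (State.NONCOMPLIANT, "remediated"): (Action.MOVE, State.REGISTERED),
}


@dataclass
class Host:
    mac: str
    state: State = State.UNREGISTERED
    owner: Optional[str] = None
    enforcement_log: List[str] = field(default_factory=list)


def take_enforcement_action(host: Host, what: str) -> None:
    """Modelled as a log entry; a real PEP would reconfigure the switch port or filter."""
    host.enforcement_log.append(f"{host.mac}: {what}")


def handle_event(host: Host, event: str) -> List[Action]:
    """External event -> policy decision -> action. Returns the actions taken, in order.

    An unknown (state, event) pair is 'None Required': the network stays as it is.
    ENFORCE performs the action and re-enters the decision with the event 'enforced'.
    """
    actions: List[Action] = []
    while True:
        action, arg = POLICY.get((host.state, event), (Action.NONE, None))
        actions.append(action)
        if action is Action.MOVE:
            host.state = arg                 # network transitions to new state
            return actions
        if action is Action.ENFORCE:
            if event == "enforced":          # guard: a policy that enforces forever is a bug
                raise RuntimeError(f"policy loops on enforcement in state {host.state}")
            take_enforcement_action(host, arg)
            event = "enforced"               # ... and return to policy decision
            continue
        return actions                       # None Required


def walk(host: Host, events: List[str]) -> List[State]:
    """Feed a sequence of events and return the host state after each one."""
    states = []
    for ev in events:
        handle_event(host, ev)
        states.append(host.state)
    return states


if __name__ == "__main__":
    # Constructed event sequence for one residence-hall laptop.
    h = Host("00:11:22:33:44:55")
    events = ["mac_registered", "scan_vulnerable", "ids_alert", "remediated", "scan_clean"]
    for ev, st in zip(events, walk(h, events)):
        print(f"{ev:16} -> {st.value}")
    print(h.enforcement_log)
```

The point of the "enforced" re-entry is that enforcement and the state change are separate decisions: the PEP acts first, and only the next lookup decides whether the host ends up in the non-compliant final state. That is also why the loop needs a guard; a policy table that answers "enforce" to its own "enforced" event would never reach a final state.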
And here we are (I guess NAC is cool now...)
Network Access Control: Vendor Definitions
- "Using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources" - Cisco
- "combines user identity and device security state information with network location information, to create a unique access control policy" - Juniper
Why did we implement NAC systems?
- Only automated approaches can scale and respond rapidly to large-scale incidents.
- Preventative policy enforcement reduces risk:
  - the overall number of security vulnerabilities
  - the success of any particular attack technique
- Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.
Network Access Control
- Higher education created many early systems of what is now termed NAC (Network Access Control)
  - Southwestern Netreg, CMU Netreg, Packetfence, others
- Currently there are many commercial offerings in the space
  - 30+ vendors at last count
  - Major deployments by Cisco, Microsoft, Juniper and others
Network Access Control in Higher Ed
- Characteristics of higher ed networks lead to unique challenges
  - Large numbers of unmanaged systems connected to campus network
  - Residence halls
  - Heterogeneous computing base
  - Frequently no ubiquitous administration structure
  - Complex network use cases
Network Access Control in Higher Ed
- Associating a device with an identity
  - Is the user a member of the campus community?
  - Leveraging campus IdM
- Determining a host's posture
  - Is the host compliant with local policy?
  - Measuring device state against campus IT security standards
- Role-based network assignment
  - What network perimeter is appropriate for this host?
  - vLAN, subnet, firewalls, IDS
NAC Basics
Registration options include:
- Open DHCP ("free love")
- DHCP with MAC registration (netreg)
- Web middlebox (portal)
- 802.1x (supplicant)
Enforcement types include:
- vLAN isolation / DHCP scope isolation
- Network-based firewall / host-based filters
- Class of Service (rate limit)
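Combining the two preceding slides (identity plus posture decides the network perimeter, and 802.1x with vLAN isolation enforces it) in working code. This is an added example, not code from the presentation or from any NAC product. It assumes the enforcement point is an 802.1X-capable switch that honours RADIUS-assigned VLANs (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 2868 as profiled for VLANs in RFC 3580); the role table, VLAN numbers, user name and shared secret are illustrative, and the `authorize` glue function is hypothetical.

```python
"""Role-based network assignment delivered over 802.1X/RADIUS.

Added example, not the presentation's or any vendor's code. Assumes a switch (PEP)
that applies RFC 3580 VLAN attributes from an Access-Accept; the policy table,
VLAN numbers and secret are constructed for illustration.
"""
import hashlib
import struct
from typing import List, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RADIUS packet codes
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type = IEEE 802

ROLE_VLAN = {"staff": 100, "student": 200, "guest": 900}   # assumed campus policy
QUARANTINE_VLAN = 999                                        # assumed remediation network


def decide_vlan(identity: Optional[str], roles: Set[str], posture_ok: bool) -> Optional[int]:
    """Policy decision: (identity, roles, posture) -> VLAN, or None meaning 'reject'."""
    if identity is None:
        return None                              # nobody authenticated: no network
    if not posture_ok:
        return QUARANTINE_VLAN                   # known user, non-compliant host
    for role in ("staff", "student", "guest"):   # most privileged matching role wins
        if role in roles:
            return ROLE_VLAN[role]
    return None                                  # authenticated, but no role grants access


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, includes these two bytes) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _tagged_int(atype: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a switch needs to place the authenticated port in a VLAN."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch checks before acting on the VLAN it was handed."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if len(packet) < 20 or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    return hashlib.md5(header + request_auth + attrs + secret).digest() == auth


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs; reject truncated or zero-length entries."""
    out, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def authorize(identity: Optional[str], roles: Set[str], posture_ok: bool,
              ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Hypothetical PDP glue: decide, then encode the decision for the PEP."""
    vlan = decide_vlan(identity, roles, posture_ok)
    if vlan is None:
        return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)
    attrs = _attr(USER_NAME, identity.encode()) + vlan_attributes(vlan)
    return build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret)


if __name__ == "__main__":
    req_auth = bytes(range(16))     # constructed Request Authenticator from the switch
    pkt = authorize("jdoe", {"student"}, True, 7, req_auth, b"testing123")
    print(pkt.hex(), verify_response(pkt, req_auth, b"testing123"))
```

Two caveats a practitioner should keep in mind. The Response Authenticator only protects the hop between the switch and the RADIUS server with a shared secret; it says nothing about who the user really is, so `identity` must come from a completed EAP exchange, not from the cleartext User-Name of the request. And the VLAN move is the whole of the enforcement: whatever lives on the quarantine VLAN (remediation portal, patch mirrors) is reachable by a host that has just been judged non-compliant, so that network needs its own filtering.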
NAC: Posture assessment
- Original implementations used active network-based scanning
  - Windows XP SP2 rained on this parade (its host firewall is on by default, so a network scan learns little)
  - But security staff still needed to verify compliance
- Many sites migrated to client-based posture assessment
  - Running code on endpoints to validate compliance
  - Could be implemented in the 802.1x supplicant
NAC is Complicated
Components in the architecture diagram:
- Access Requestor (AR)
- Network Detection Point (NDP)
- Policy Enforcement Point (PEP)
- Policy Decision Point (PDP)
- Data Repository (DR): Policy, Authentication, Authorization DB
- Identity / Integrity (what the AR presents to the PDP)
Federations have a role here also
- Enable members of one institution to authenticate to the wireless network at another institution using their home credentials
- E.g., eduroam, which stands for Education Roaming, is a RADIUS-based infrastructure that uses 802.1X security technology to allow for inter-institutional roaming.
  - Being part of eduroam allows users visiting another institution connected to eduroam to log on to the WLAN using the same credentials (username and password) the user would use at his home institution.
- Effectively need to achieve identity discovery
- Also applicable to Grid environments
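The "identity discovery" step in a RADIUS federation like eduroam is realm-based routing: the visited institution's RADIUS server sees only the outer identity of the 802.1X login, takes the realm after the @, and forwards the request toward the home institution. The following is an added example, not the presentation's or eduroam's code; the local realm, the peer table and the national proxy hostname are assumptions.

```python
"""Realm-based routing of a roaming 802.1X login, eduroam style.

Added example, not the presentation's or eduroam's code. Models the visited
institution's RADIUS server: it never sees the visitor's password, only the
outer identity, and routes on the realm. Realm tables are constructed.
"""
import re
from typing import Optional, Tuple

LOCAL_REALMS = {"example.edu"}                        # realms this server authenticates itself
PEER_SERVERS = {"partner.edu": "radius.partner.edu"}  # directly peered institutions (assumed)
FEDERATION_PROXY = "flr.nren.example"                 # hypothetical national-level proxy

# A realm must look like a DNS name with at least two labels.
_REALM_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def realm_of(outer_identity: str) -> Optional[str]:
    """Realm part of a user@realm NAI, lower-cased, or None if there is no usable realm."""
    if outer_identity.count("@") != 1:
        return None                              # no realm, or an ambiguous one
    realm = outer_identity.rsplit("@", 1)[1].strip().lower()
    return realm if _REALM_RE.match(realm) else None


def route(outer_identity: str) -> Tuple[str, Optional[str]]:
    """Where the Access-Request goes: ('local', None), ('proxy', host) or ('reject', why)."""
    realm = realm_of(outer_identity)
    if realm is None:
        return ("reject", "no routable realm in outer identity")
    # Longest-suffix match so that cs.example.edu is handled like example.edu;
    # a bare top-level label such as "edu" is never matched on its own.
    labels = realm.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in LOCAL_REALMS:
            return ("local", None)               # our own user: authenticate here
        if candidate in PEER_SERVERS:
            return ("proxy", PEER_SERVERS[candidate])
    return ("proxy", FEDERATION_PROXY)           # unknown realm: let the federation find it


if __name__ == "__main__":
    # Constructed outer identities as a visited campus would see them.
    for ident in ["anonymous@example.edu", "visitor@partner.edu",
                  "someone@uni.ac.uk", "jdoe", "a@b@example.edu"]:
        print(f"{ident:24} -> {route(ident)}")
```

Note what the visited site does and does not learn. It can tie the device's MAC address and the session to a realm and a home institution, but the real username and the credential travel inside the EAP tunnel (EAP-TTLS or PEAP) and are only seen by the home server. The correlation of device to person that the campus IdM can make for its own users therefore exists only at the visitor's home institution, which is exactly the federated complication raised later in this deck. Rejecting identities with no realm also closes the obvious loop: a request with no routable realm should never be forwarded up to the federation proxies.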
Correlating identity to device to privilege
- We've done a pretty effective job so far
  - But the drivers were not traditional IAM drivers
- Can we assign a meaningful Level of Assurance to this correlation?
  - Not so sure.
- Are we willing to use this correlation to grant privileges?
  - Dynamic vLAN assignments?
  - Firewall traversal capabilities?

Correlating identity to device to privilege
- We need to understand the relationship between user identity, device identity, and host integrity (posture)
  - This is complicated further in a federated environment
- Does (user + device) == privilege?
  - What about users with multiple roles?
- Is this a network, security, or IdM problem?
  - D) All of the above
Perhaps we need to step back and take an architectural view of this
Drivers for NAC standards
- Community desire for interoperable components
- Heterogeneous campus environment
- Modular network architecture
- Ability to use commercial and open source components
  - Vendor-made switches
  - Open-source registration and remediation
NAC Standards space
- Trusted Computing Group: Trusted Network Connect
- Vendor standards: Cisco NAC, Microsoft NAP
- IETF NEA
  - Chartered only for client-server protocols